We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.
  1. Home
  2. Security

Warning: Disabling the verification of SSL certificates can lead to man-in-the-middle attacks.

When leaving the line : $this->amazonSes->disable_ssl_verification(); in this code:

private function amazonSESSend($raw)
    {
        if ($this->amazonSes == null) {

            $this->amazonSes = new \AmazonSES(
                array("key" => $this->config->amazon->AWSAccessKeyId,
                "secret" => $this->config->amazon->AWSSecretKey)
            );

            $this->amazonSes->disable_ssl_verification();
        }

as it is I am getting this error:

Warning: Disabling the verification of SSL certificates can lead to man-in-the-middle attacks.
It is potentially unsafe and highly discouraged.
in C:\wamp\www\vokuro\vendor\amazonwebservices\aws-sdk-for-php\sdk.class.php on line 536

so, I commented it out like that: 

private function amazonSESSend($raw)
    {
        if ($this->amazonSes == null) {

            $this->amazonSes = new \AmazonSES(
                array("key" => $this->config->amazon->AWSAccessKeyId,
                "secret" => $this->config->amazon->AWSSecretKey)
            );

            // $this->amazonSes->disable_ssl_verification();
        }

and now it's gone.

So I have 2 questions:

1) Why did the developer who created Vokuro put this line there in the first place? Why disabling SSL?

2) What happens if I continue using Vokuro app with commented line like this:

Thank you for the explanation.



125.8k

1) Only the developer can say for sure, but if I had to guess, I'd say putting that line in there stopped some error from happening. Fixing the error properly would have been beyond the scope of Vokuro. Vokuro was created more as an example application, than an actual production-level application.

2) Possibly nothing wil happen. It would appear the default behaviour for AmazonSES is to verify SSL connections before using them. If the connection can't be verified, then an error will be displayed. Amazon is right, though, when they say disabling SSL verification is a bad idea.